Files
wehub-resource-sync bcbd1bdb22
Test (Python) / test-python-gate (push) Blocked by required conditions
Test (TypeScript) / test-typescript-gate (push) Blocked by required conditions
CLI exit codes / cli-gate (push) Blocked by required conditions
Test (Install) / test-install-gate (push) Blocked by required conditions
Integ / integ-gate (push) Blocked by required conditions
CLI exit codes / Python CLI (push) Waiting to run
Integ / changes (push) Has been skipped
Test (Install) / python-minimal (3.11) (push) Waiting to run
Test (Install) / python-minimal (3.12) (push) Waiting to run
Test (Install) / python-extra (chroma, mirage.resource.chroma) (push) Waiting to run
Integ / integ-ts (push) Waiting to run
Integ / integ (push) Waiting to run
Test (Install) / python-extra (deepagents, mirage.agents.langchain) (push) Waiting to run
Integ / integ-database (push) Waiting to run
Test (Install) / python-extra (email, mirage.resource.email) (push) Waiting to run
Test (Install) / python-extra (hdf5, mirage.core.filetype.hdf5) (push) Waiting to run
Integ / integ-ssh (push) Waiting to run
Pre-commit / pre-commit (push) Failing after 1s
CLI exit codes / changes (push) Has been skipped
Test (Install) / changes (push) Has been skipped
CLI exit codes / TypeScript CLI (push) Waiting to run
CLI exit codes / Cross-language snapshot interop (push) Waiting to run
Test (Install) / python-extra (agno, mirage.agents.agno) (push) Waiting to run
Test (Install) / python-extra (databricks, mirage.resource.databricks_volume) (push) Waiting to run
Test (Python) / changes (push) Has been skipped
Integ / integ-database-ts (push) Waiting to run
Test (Install) / python-extra (fuse, mirage.fuse.mount) (push) Waiting to run
Integ / integ-data (push) Waiting to run
Test (Install) / python-extra (lancedb, mirage.resource.lancedb) (push) Waiting to run
Test (Python) / test (push) Waiting to run
Integ / integ-fuse (push) Waiting to run
Test (Install) / python-extra (langfuse, mirage.resource.langfuse) (push) Waiting to run
Test (Python) / import-isolation (deepagents, openai, mirage.agents.openai_agents) (push) Waiting to run
Test (Python) / audit (push) Waiting to run
Test (Install) / python-extra (hf, mirage.resource.hf_buckets) (push) Waiting to run
Integ / integ-ssh-ts (push) Waiting to run
Test (Install) / python-extra (mongodb, mirage.resource.mongodb) (push) Waiting to run
Test (Python) / import-isolation (deepagents, pydantic-ai, mirage.agents.pydantic_ai) (push) Waiting to run
Test (TypeScript) / changes (push) Has been skipped
Test (Install) / python-extra (nextcloud, mirage.resource.nextcloud) (push) Waiting to run
Test (Install) / python-extra (openai, mirage.agents.openai_agents) (push) Waiting to run
Test (Install) / python-extra (openhands, mirage.agents.openhands, 3.12) (push) Waiting to run
Test (Install) / python-extra (parquet, mirage.core.filetype.parquet) (push) Waiting to run
Test (TypeScript) / test (push) Waiting to run
Test (Install) / python-extra (pdf, mirage.core.filetype.pdf) (push) Waiting to run
Test (TypeScript) / python-fs-shim (push) Waiting to run
Test (Install) / python-extra (postgres, mirage.resource.postgres) (push) Waiting to run
Test (Install) / python-extra (pydantic-ai, mirage.agents.pydantic_ai) (push) Waiting to run
Test (Install) / python-extra (qdrant, mirage.resource.qdrant) (push) Waiting to run
Test (Install) / python-extra (redis, mirage.resource.redis) (push) Waiting to run
Test (Install) / python-extra (s3, mirage.resource.s3) (push) Waiting to run
Test (Install) / python-extra (ssh, mirage.resource.ssh) (push) Waiting to run
Test (Install) / ts-minimal (push) Waiting to run
chore: import upstream snapshot with attribution
2026-07-13 12:30:44 +08:00

201 lines
7.3 KiB
Python

# ========= Copyright 2026 @ Strukto.AI All Rights Reserved. =========
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# ========= Copyright 2026 @ Strukto.AI All Rights Reserved. =========
import time
from dataclasses import dataclass
import jwt as pyjwt
import pytest
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from httpx import ASGITransport, AsyncClient
from mirage.server import build_app
from mirage.server.auth.config import AuthConfig, JWTConfig
@dataclass
class KeyPair:
private_pem: bytes
public_pem: bytes
@pytest.fixture(scope="module")
def rsa_keys() -> KeyPair:
private_key = rsa.generate_private_key(public_exponent=65537,
key_size=2048)
private_pem = private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=serialization.NoEncryption(),
)
public_pem = private_key.public_key().public_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PublicFormat.SubjectPublicKeyInfo,
)
return KeyPair(private_pem=private_pem, public_pem=public_pem)
def _client(app, headers=None):
transport = ASGITransport(app=app)
return AsyncClient(transport=transport,
base_url="http://test",
headers=headers or {})
@pytest.mark.no_auth_override
@pytest.mark.asyncio
async def test_local_mode_accepts_correct_bearer():
app = build_app(idle_grace_seconds=10.0,
auth_config=AuthConfig(mode="local",
local_token="correct-token"))
async with _client(app, {"Authorization": "Bearer correct-token"}) as c:
r = await c.get("/v1/workspaces")
assert r.status_code == 200
@pytest.mark.no_auth_override
@pytest.mark.asyncio
async def test_local_mode_rejects_wrong_bearer():
app = build_app(idle_grace_seconds=10.0,
auth_config=AuthConfig(mode="local",
local_token="correct-token"))
async with _client(app, {"Authorization": "Bearer wrong-token"}) as c:
r = await c.get("/v1/workspaces")
assert r.status_code == 401
@pytest.mark.no_auth_override
@pytest.mark.asyncio
async def test_local_mode_rejects_missing_header():
app = build_app(idle_grace_seconds=10.0,
auth_config=AuthConfig(mode="local",
local_token="correct-token"))
async with _client(app) as c:
r = await c.get("/v1/workspaces")
assert r.status_code == 401
@pytest.mark.no_auth_override
@pytest.mark.asyncio
async def test_local_mode_no_token_lets_everything_through():
app = build_app(idle_grace_seconds=10.0,
auth_config=AuthConfig(mode="local", local_token=None))
async with _client(app) as c:
r = await c.get("/v1/workspaces")
assert r.status_code == 200
@pytest.mark.no_auth_override
@pytest.mark.asyncio
async def test_token_mode_accepts_correct_token():
app = build_app(idle_grace_seconds=10.0,
auth_config=AuthConfig(mode="token",
bearer_token="operator-pat"))
async with _client(app, {"Authorization": "Bearer operator-pat"}) as c:
r = await c.get("/v1/workspaces")
assert r.status_code == 200
@pytest.mark.no_auth_override
@pytest.mark.asyncio
async def test_token_mode_rejects_wrong_token():
app = build_app(idle_grace_seconds=10.0,
auth_config=AuthConfig(mode="token",
bearer_token="operator-pat"))
async with _client(app, {"Authorization": "Bearer something-else"}) as c:
r = await c.get("/v1/workspaces")
assert r.status_code == 401
@pytest.mark.no_auth_override
@pytest.mark.asyncio
async def test_token_mode_rejects_jwt_shaped_value():
app = build_app(idle_grace_seconds=10.0,
auth_config=AuthConfig(mode="token",
bearer_token="operator-pat"))
fake_jwt = "aaaa.bbbb.cccc"
async with _client(app, {"Authorization": f"Bearer {fake_jwt}"}) as c:
r = await c.get("/v1/workspaces")
assert r.status_code == 401
@pytest.mark.no_auth_override
@pytest.mark.asyncio
async def test_jwt_mode_accepts_valid_signed(rsa_keys):
jwt_cfg = JWTConfig(key=rsa_keys.public_pem.decode(), algorithm="RS256")
app = build_app(idle_grace_seconds=10.0,
auth_config=AuthConfig(mode="jwt", jwt=jwt_cfg))
token = pyjwt.encode({
"sub": "agent",
"exp": int(time.time()) + 60
},
rsa_keys.private_pem,
algorithm="RS256")
async with _client(app, {"Authorization": f"Bearer {token}"}) as c:
r = await c.get("/v1/workspaces")
assert r.status_code == 200
@pytest.mark.no_auth_override
@pytest.mark.asyncio
async def test_jwt_mode_rejects_opaque_bearer(rsa_keys):
jwt_cfg = JWTConfig(key=rsa_keys.public_pem.decode(), algorithm="RS256")
app = build_app(idle_grace_seconds=10.0,
auth_config=AuthConfig(mode="jwt", jwt=jwt_cfg))
async with _client(app, {"Authorization": "Bearer not-a-jwt"}) as c:
r = await c.get("/v1/workspaces")
assert r.status_code == 401
@pytest.mark.no_auth_override
@pytest.mark.asyncio
async def test_jwt_mode_rejects_expired(rsa_keys):
jwt_cfg = JWTConfig(key=rsa_keys.public_pem.decode(),
algorithm="RS256",
clock_skew_seconds=0)
app = build_app(idle_grace_seconds=10.0,
auth_config=AuthConfig(mode="jwt", jwt=jwt_cfg))
token = pyjwt.encode({
"sub": "agent",
"exp": int(time.time()) - 60
},
rsa_keys.private_pem,
algorithm="RS256")
async with _client(app, {"Authorization": f"Bearer {token}"}) as c:
r = await c.get("/v1/workspaces")
assert r.status_code == 401
@pytest.mark.no_auth_override
@pytest.mark.asyncio
async def test_health_endpoint_always_open():
app = build_app(idle_grace_seconds=10.0,
auth_config=AuthConfig(mode="local",
local_token="some-token"))
async with _client(app) as c:
r = await c.get("/v1/health")
assert r.status_code == 200
@pytest.mark.no_auth_override
@pytest.mark.asyncio
async def test_authorization_header_without_bearer_prefix_rejected():
app = build_app(idle_grace_seconds=10.0,
auth_config=AuthConfig(mode="local",
local_token="correct-token"))
async with _client(app, {"Authorization": "correct-token"}) as c:
r = await c.get("/v1/workspaces")
assert r.status_code == 401